Recommended Settings for Clinical Devices
The standards below are strongly recommended for iOS devices used in a clinical setting.
Use the following list as a template for your configuration. You may find it useful to print the list and check off each setting for validation.
These recommendations will evolve over time. Imprivata welcomes your feedback and suggestions.
DEP Profile
Mobile Access Management can assign the device to the DEP profile, so it does not need to be the default profile.
Authentication | ON |
(Workspace ONE) Device Ownership Type | ON |
(Workspace ONE) Device Organization Group | Your preference |
Profile Name | GroundControl |
Department | Anything |
Support Number | Anything |
Require MDM enrollment | Enabled |
Supervision | Enabled |
Lock MDM Profile | Enabled |
Anchor Certificate | Disabled |
Device pairing | Enabled |
Supervision Identity Certificate | Upload Supervision Identity |
Await Configuration | Disabled |
Auto Advance Setup | Disabled |
Setup Assistant | Skip all setup screens |
Account Setup | Don't Skip |
Account Type | Administrator |
Create New Admin Type | No |
MDM Notification Profile
There must be one, and only one, notification profile.
Epic Rover | Allow Notification | On |
Epic Rover | Show in Notification Center | On |
Epic Rover | Show in Lock Screen | On |
Epic Rover | Allow Badging | On |
Epic Rover | Allow Sound | On |
Epic Rover | Allow critical alert notifications | On |
Epic Rover | Allow CarPlay | On |
Epic Rover | Alert Style when unlocked | Banner |
Epic Rover | Select group notification type | Do not group |
Imprivata Locker for iOS | Allow Notifications | On |
Imprivata Locker for iOS | Show in Notification Center | On |
Imprivata Locker for iOS | Show in Lock Screen | On |
Imprivata Locker for iOS | Allow Badging | On |
Imprivata Locker for iOS | Allow Sound | On |
Imprivata Locker for iOS | Allow critical alert notifications | On |
Imprivata Locker for iOS | Allow CarPlay | On |
Imprivata Locker for iOS | Alert Style when unlocked | Banner |
Imprivata Locker for iOS | Select group notification type | Do not group |
MDM Restriction Profile
Multiple Restriction profiles are permitted, and the iOS device will coalesce them into the most restrictive version.
OS Updates - Delay Updates | 90 days |
Allow use of camera | On |
Allow FaceTime | Off |
Allow passcode modification | On |
Allow Biometric ID to unlock device | Off |
Allow install public apps | Off |
Allow App Store icon on Home screen | Off |
Force limited ad tracking | On |
Show user-generated content in Siri | Off |
Allow manual profile installation | Off |
Allow configuring Restrictions | Off |
Allow Erase All Contents and Settings | Off |
Allow device name modification | Off |
Allow wallpaper modification | Off |
Allow account modification | Off |
Allow Bluetooth Settings modification | Off |
Allow system app removal | Off |
Allow manual VPN creation | Off |
Force Date & Time to be set automatically | On |
Allow auto filling of passwords | On |
Block Safari autofill | On |
Allow sharing of Wi-Fi passwords | Off |
Allow eSIM modification | Off |
Allow personal hotspot modification | Off |
Allow AirDrop (for iOS 17+, disabling AirDrop prevents the NameDrop feature from triggering with devices in close proximity) | Off |
Allow USB Restricted mode | Off |
Allow user to trust unmanaged enterprise apps | Off |
Allow pairing with non-Configurator hosts | On |
Force Wi-Fi whitelisting | On |
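The following added example (not Imprivata or MDM vendor code) models how several Restriction profiles coalesce into the most restrictive result and compares the effective values with a subset of the checklist above. Assumptions: the mapping from console labels to Apple Restrictions payload keys, the prefix-based merge rule as a simplified model of coalescing, the helper names, and the constructed sample profiles.

```python
import plistlib

# Assumed mapping from a subset of the checklist labels to Apple Restrictions
# payload (com.apple.applicationaccess) keys; confirm against your MDM export.
BASELINE = {
    "allowCamera": True,                    # Allow use of camera: On
    "allowFingerprintForUnlock": False,     # Allow Biometric ID to unlock device: Off
    "allowEraseContentAndSettings": False,  # Allow Erase All Contents and Settings: Off
    "allowAirDrop": False,                  # Allow AirDrop: Off
    "allowHostPairing": True,               # Allow pairing with non-Configurator hosts: On
    "forceLimitAdTracking": True,           # Force limited ad tracking: On
}

def restriction_payloads(blob):
    """Extract the Restrictions payload dicts from one .mobileconfig plist."""
    content = plistlib.loads(blob).get("PayloadContent", [])
    return [p for p in content if p.get("PayloadType") == "com.apple.applicationaccess"]

def coalesce(payloads):
    """Simplified most-restrictive merge: allow* -> False wins, force* -> True wins."""
    effective = {}
    for payload in payloads:
        for key, value in payload.items():
            if not isinstance(value, bool):
                continue  # skip metadata such as PayloadType
            if key.startswith("allow"):
                effective[key] = effective.get(key, True) and value
            elif key.startswith("force"):
                effective[key] = effective.get(key, False) or value
    return effective

def check(*blobs):
    """Return {key: (recommended, effective)} for baseline keys that drift."""
    payloads = [p for blob in blobs for p in restriction_payloads(blob)]
    effective = coalesce(payloads)
    report = {}
    for key, want in BASELINE.items():
        got = effective.get(key, key.startswith("allow"))  # unset = unrestricted
        if got != want:
            report[key] = (want, got)
    return report

def sample_profile(**settings):
    """Build a constructed sample profile (not a real MDM export)."""
    payload = {"PayloadType": "com.apple.applicationaccess", **settings}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [payload]})

CLINICAL = sample_profile(**BASELINE)                          # matches the checklist subset
LEGACY = sample_profile(allowCamera=False, allowAirDrop=True)  # constructed second profile
print(check(CLINICAL, LEGACY))
```

When the effective value is more restrictive than the recommendation, as with the camera setting in the second sample profile, adding another profile cannot loosen it; the conflicting profile itself has to be changed or removed.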